From 0dde13b9f1d92415d89bef2c77d9aff9690da048 Mon Sep 17 00:00:00 2001
From: Marc-Egli
Date: Thu, 26 Aug 2021 13:23:54 +0200
Subject: [PATCH] upload babyrev challenge
---
 20210824_babyrev/babyrev | Bin 0 -> 17392 bytes
 20210824_babyrev/solver.py | 55 +++++++++++++++++++++++++++++++++++++
 README.md | 20 ++++++++++++++
 3 files changed, 75 insertions(+)
 create mode 100755 20210824_babyrev/babyrev
 create mode 100644 20210824_babyrev/solver.py
diff --git a/20210824_babyrev/babyrev b/20210824_babyrev/babyrev new file mode 100755 index 0000000000000000000000000000000000000000..4c2de0fba767bda7b43aa98140eeb4fbd9932d76 GIT binary patch literal 17392 zcmeHPe{fXA9pB3(5D_jx2nIxXQmp~y2pBM^)Vm}XUNAs}L{PxTC~A?|7;C$2toPHA_K(1D%mXf zyNF%ErU9SNF-`8!2uQW`PF^}K6u1>A+LdA^16`=Wj40I*DcWUAg%@cOqO4fs(XIfq zf;UqiHUtt;lI!J3T+En>7K-)}HQJ%eZOb&fZEMr%kgyvUl!Hg)CcN^G= zE)p7FO{kkUi}JGd!*e2zM6tgyEpH1nudZ0$=3Ukn2*o;yux;^xdZlF5g~xW7qeF$Oo2*I+)O&x)^!P zV>zg!wf||>B`~~2Py5~qwl=w`xqzgnR$wnlhd6gJ{FO4`3SgP^!&&ghvfyeK{Mjsc zUl#mW7Cey!e>Dq!4d4=7=F|^BruMD|T!PD-8UV_xS_f&9P%}~o7;R$QCfrHkP=nh5miw%)r^YKJrNas zdNiLwU$7+-Ze~$667mGwS$j;4f-~^r*{yi|yOkDqpbeznK!~-p`alSpZN3l^PqaP6 zz=5Z|le7K^Sb93#N=qQ*ZVTM!<0v>)6f96wF6ahV>+0*Os+E=YmG)J7eno|zt-u)I zh|c5xtb!t^&0Yl@K`jgar;U9H_}GE~%EQ1F_4o^DU`G4)56=+s?ez9rlt@InVTfV|wa|RsCrgX@FQ>;;T*nrO{xd`MU@c$KoPm8YjQtlotloJJiSk9Q-Goa?BPRZTJ3Xk$Yq*kp5IGMWo zRv<--80z~`k{o$Il}a7tJia(2M^5WJzSty326Y}^Ad(|L(|LSxNRB+M^Z3G$9C=LV z@kJpyvQOvn1tB@IN9XayAUWdJd3<3?j@+j6_=1oeaS{);pT%om!+8CH@3CWRCi%T4 zK4#*BCf;Y_cbfPn6TiX4yG;CA6TiyHulTSoe)=vs{(;>6m$8P%`rd*kAcAu5tVNux z{VT*jRdNZKe0EUoUF(L7+*@!bk~QOM33Tm8@M{8g?M11fqD5U09d=Yu&|kszS1m=d zn&@qKE#Vrsye@lQmjeTvMvrZj2ZyEj@xcq$_^HA1 zMN5vy$94}aSn_)Ol-ws4!1!=hmEXP2df3t~B8q{oxmTC*r4i24X_Eu-i3ZNfs@2jSeTzr&7tH>ju`i zCLVnIFy3O5Znwz$M#lm1%8C4|%OE4iUBfE|R%}* zG?VUOOVP`k*PHjoX2{*IqNj!GJTUk@8vFme+#SkCYYOyph##3>aY_%g-9TsYfkX|;80$?XC{E>rgw8{NpJ$Lwn3M7k69ib zh@I7RG6JNbExiYW1#q1b9^b6F@M$=YYzyFo_L^fak$F zHyfbm5!#Lrwop#&9QMlBFXa8N77RC|yM4!SSZv2z>|s>m^PO{Reec@c*D&V1y)J&n z*;E(*+}Y@iPc+HB%XR>~rGCkIdZTm*6v$VDI*fm{S~ z5y(X#7lHqA1T63s!dX>a@^LDKZ>A57rBW{dJpl9=(3?L=rP_dAolK?v2=r5+6F}F03abZLC_M0a zDpdn?6zBn<_#%zTa^GfV=_s~bHgkI6L4o6*fs^1D*8GgsOy{3Lu7WInekzCZ2Y@nL zajmU%ebL4D7Iv{)7Tmb>`l}WrjDB~(brST9-%k)%;Tiz^5Ku~3)&aPjQ2)0OblHj@ z$*Z0=+d~2F~BbQ^n-h}Jh(B7rEEF^om+iIPk$92%G2CmQGD*r5% z@*z-bEB=07ovrjytIH{xd`MUkc&Vr0=Wp}B9M!~H;Vx6C!_si@XF1T 
znQFT}8JkJPh(*UN!Ec+VW#$tv_NQGYc>ENKX@N!ptQHDRPZH&5)o$1FZNgAQU+6@XfUpyFyY4}OqXgzuOQ*$q9Rmp zvZp<9RQ?shp7h}32X7w~$07K(!}&hp4?f;-p6Uh5L(aDgIehuxJjI2o_ur!W{%w=P za?#%oK^p|!C1|^#U4kAIv|rFef({6JN>EcV|B)?pXex^1&XSm`c}uKzbF~s{*c?-K zY(h!Cq{(R?Ob6%Vc~x0hEe(O}K&EB{(y=V2)g zAcH3E52bzV1{ijAS{dzAPsj7w0~!4k=;JG-8A)BR#)rTYAmt`D=L!-!~kt6|@@QEFv0 zdrqP_P35ys__yOpRGXLcpi@p6H_d{A4KBo)*dI(bR|=fweZp^mj0Nf=J2V8#!&D2G zg-wk^5ODNQ&k@wc)Cre`O^s(C;F;>5tzFM>KXY0BV#t_MCO?O`PRW%18U)+|v$?sy zek1hF{r(=ur;eX7?q_QM_P~Ulm*Kvc1`WFe;?p3Wk2G)3<2WxQ?a#GC3ur6axYV)TbvI`Y($5 z@ZWI32G0}ChPagr|5WbJ1zs$0dN2AV;t(IR|Kos5;Ln_f0Eg&INlCyLPeEb6g6AUM zFL7bSf2&44Peg^E^kD~whfSVAQPiN~!BZ%BXv7;f9F3%W^Zjz&cl z_{kzoSifm22t9tEXE&(8Nhul?c!VnJxv0t7V3g9&GNsERVO0q+W{-9TRd+K`HKI{J z$ZL}}eB z#9Wv1NWTRat`*6i)(1o-kQo!ryM*DnKBN6Mv0fmG-{Xvlo;!rqLB?oL>kXn3DGF+~ z$LG~QV692@r}a3|GGQl{rBjv(Zjj?zoa|}+Li7*@7ZTPHv($cCHwOU2CX+p_bBKNc zGGh|%bZ8Ica4k*tv>qZ#@uT{a9?=KE9@pl?)4GZ1E>RN2nCdTJ)(aVoDcRHdiYWbF zK;@G?wf{+BUquc{K~SST+K`y+p9TzLLjK{AswF|qD+_b~KV`C)gdNcV;f{#OJ$u$< zKO_{0l72S(LneD#ClW=uF_Ax_zW|}J{q&wh^d(b+$&P%!X0oSsCsF#{i}X$I*c-y0 z`kzTcQ&6v9iJ0ww3j(Y^*?T2TlW3#H>VM7l?}Ef=e^}B~i8i3nkZAl6bQUtWb`;Z& zzAmQo>1KW6iGBjMMFxBNy>Hht03nf{#!d2sp9cYsT`Hf}ZS?;QP+;)>!$fw}kIw^! zP1Nnh?|pvpqTGi@hD7#6aouLLXAYrUuF*<^EoP})f@gv;`l9k34oy-i?9KXSezquI zsFPbp_Dgj{%V1qG87Yk&O``qv3x|CoaF+vYhl|=x^9TNpNp;sO#b43zxh5f%OS-r$ SF{yCT+?zCw1ttR%%l-{+uS#10 literal 0 HcmV?d00001 diff --git a/20210824_babyrev/solver.py b/20210824_babyrev/solver.py new file mode 100644 index 0000000..be8c862 --- /dev/null +++ b/20210824_babyrev/solver.py 
@@ -0,0 +1,55 @@
+from string import ascii_uppercase, ascii_lowercase
+
+check = [0x5f,0x40,0x5a,0x15,0x75,0x45,0x62,0x53,0x75,0x46,0x52,0x43,0x5f,0x75,0x50,0x52,0x75,0x5f,0x5c,0x4f]
+
+# Reverse memfrob() XOR
+decrypted_check = []
+for c in check:
+ decrypted_check.append(c^42)
+
+
+
+# Finds the number of shifts for each position
+def find_shifts():
+ shifts = []
+ for i in range(20):
+ a = 4*i
+ while(True):
+ if is_prime(a):
+ shifts.append(a % 26)
+ break;
+ a += 1
+ return shifts
+
+# Returns True if n is prime, else returns False
+def is_prime(n):
+ if n > 1:
+ # check for factors
+ for i in range(2,n):
+ if (n % i) == 0:
+ return False
+ else:
+ return True
+
+ # if input number is less than
+ # or equal to 1, it is not prime
+ else:
+ return False
+
+
+shifts = find_shifts()
+
+flag = "corctf{"
+
+for i in range(20):
+ c = decrypted_check[i]
+ if c >= 65 and c <= 90 :
+ flag += ascii_uppercase[(c - 65 - shifts[i]) % 26]
+ elif c >= 97 and c <= 122:
+ flag += ascii_lowercase[(c - 97 - shifts[i]) % 26]
+ else:
+ flag+=(chr(c))
+flag += "}"
+
+print(flag)
+
diff --git a/README.md b/README.md
index fa190ae..021eeb1 100644
--- a/README.md
+++ b/README.md
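Review bot: The literal `20` is repeated in `find_shifts()` and in the final decode loop, and it has to be kept equal to the length of `check` by hand. If the table is edited, a shorter `check` raises IndexError at `decrypted_check[i]` and a longer one silently drops its trailing bytes. Deriving the count once, e.g. `n = len(check)` with `for i in range(n):` and `find_shifts(n)`, removes that coupling. The constants `42`, `65` and `97` would read better as a named XOR key and `ord('A')` / `ord('a')`. A short header comment stating the forward transform this script inverts (as the code implies: a per-position letter shift by the first prime at or above `4*i`, then memfrob's XOR with 42) would let a reader check the solver against the decompilation.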
@@ -50,3 +50,23 @@ Some tools/commands we used:
 * set debug level from cmdline: `./x.py DEBUG`
 * use `sendlineafter()` to consume all input and clear the input buffer
 * create `ELF` object and set `libc.address`, then refer to `libc.symbols['system']`
+
+
+## 2021-08-24
+
+The challenge babyrev comes from [corCTF](https://2021.cor.team/) and is about reverse engineering.
+
+We follow the same steps as in the hackmeeting held the 06-08-2021.
+Once the binary is opened in ghidra/ida/radare2 it is pretty easy to grasp the goal of the challenge, the binary expects the flag as input.
+
+Tools we used to reverse the binary :
+
+ * ghidra
+ * [man-pages](https://www.kernel.org/doc/man-pages/)
+ * python3
+
+The team then tried other ways of getting the flag :
+ * use of [angr](https://angr.io/) to solve the challenge with symbolic execution
+ * use of [afl++](https://github.com/AFLplusplus/AFLplusplus) to solve the challenge by fuzzing a decompiled version where a crash was added if the flag was correct.
+
+